10 Reasons Why Another Internet Worm Was Even Possible?
You probably know the answer already, but before I go into the sorry state of affairs in the IT Security world, let’s have some facts:
The Conficker worm, a.k.a. Downadup and Kido, is an RPC attack that emerged last October. As viruses go, it is well written and well conceived, using multiple attack vectors and hiding itself well. It exploits a vulnerability in the Windows Server service (hosted in SVCHOST.EXE) that can allow remote code execution when file sharing is enabled – hence the virus is a worm. In October 2008 Microsoft released an emergency patch (MS08-067) to fix the problem, but here we are in January 2009 and estimates suggest that about 30% of Windows machines have still not had the patch applied, which means that there are over 100 million PCs still vulnerable.
Conficker can also spread via removable drives, and it does a little bit of brute-force password cracking to gain access to machines across a network. Aside from that, it is a polymorphic worm, just like the Storm worm of early 2007 (polymorphic means that it keeps changing itself so that it is difficult, if not impossible, to detect by signature). Also like the Storm worm, which it clearly looks up to, it is building itself a botnet. But get this: infected PCs are instructed to contact one of 250 Web addresses, and the list keeps changing so ISPs can’t block it. The worm also disables some security products and some system services, including email. Microsoft has made a cleanup tool available to fix infected machines, but the worm blocks any attempt to get at it via the Internet.
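The rotating list of rendezvous addresses described above leaves a footprint a defender can look for in resolver logs: an infected host looks up many distinct, never-before-seen names in a day, and most of them do not exist. The following is an added example (not code from the original post); it assumes a resolver log in the form `<date> <client_ip> <qname> <rcode>`, and the thresholds and sample lines are constructed for illustration.

```python
"""Flag hosts whose DNS lookups look like a Conficker-style rendezvous list.
Log format, thresholds and sample data are assumptions made for this example.
"""
from collections import defaultdict


def parse_log(text):
    """Parse '<date> <client_ip> <qname> <rcode>' lines into 4-tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            records.append(tuple(parts))
    return records


def per_host_stats(records):
    """Return {(date, host): {'distinct': n, 'nxdomain': m}} per host and day."""
    names, nx = defaultdict(set), defaultdict(set)
    for date, host, qname, rcode in records:
        names[(date, host)].add(qname.lower())
        if rcode == "NXDOMAIN":
            nx[(date, host)].add(qname.lower())
    return {k: {"distinct": len(names[k]), "nxdomain": len(nx[k])} for k in names}


def suspicious_hosts(records, min_distinct=20, min_nx_ratio=0.7):
    """Hosts that on some day queried >= min_distinct distinct names, of which
    at least min_nx_ratio did not resolve. Tune thresholds to your own baseline."""
    flagged = set()
    for (_, host), s in per_host_stats(records).items():
        if s["distinct"] >= min_distinct and s["nxdomain"] / s["distinct"] >= min_nx_ratio:
            flagged.add(host)
    return sorted(flagged)


# Constructed sample log: a normal workstation, a busy but healthy host, and one
# host walking generated names that mostly do not resolve (not real indicators).
BENIGN = ["2009-01-20 10.0.0.5 www.example.com NOERROR",
          "2009-01-20 10.0.0.5 mail.example.com NOERROR"]
BUSY = ["2009-01-20 10.0.0.7 site%02d.example NOERROR" % i for i in range(25)]
GENERATED = ["2009-01-20 10.0.0.9 gen%02dxq.example NXDOMAIN" % i for i in range(24)]
GENERATED.append("2009-01-20 10.0.0.9 gen99xq.example NOERROR")
SAMPLE_LOG = "\n".join(BENIGN + BUSY + GENERATED)

if __name__ == "__main__":
    print(suspicious_hosts(parse_log(SAMPLE_LOG)))  # ['10.0.0.9']
```

The busy host shows why the NXDOMAIN ratio matters: volume of distinct names alone would also flag a legitimately chatty machine.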
How many machines have been infected?
“Who knows” is the answer. Initial reports suggested 1 million, then another source suggested 2.5 million, but that was quickly trumped by claims of 9 million, soon to be outdone by reports of 10 million, which may just have been someone rounding the 9 million up for the joy of printing an 8-digit number. F-Secure then steamed in and estimated that the figure was in fact 15 million, and it wasn’t long before everyone and his pet parakeet were claiming that 20 million computers had been infected.
Antivirus experts now agree that the number is definitely big, so their PR machines are working overtime as they try to get the names of their companies mentioned in stories about the worm. I wonder, for example, how much F-Secure paid to get mentioned in this posting? I wonder if I’ll get mentioned in other postings if I say that the number of computers infected is actually 25 million. Yep. That’s probably the figure.
So: 10 Reasons Why Another Internet Worm Was Even Possible
You may be thinking that the billions of dollars paid every year to AV vendors (at least $4 billion) result in the best IT security minds in the world working on the problem of preventing worms like this from ever infecting a thousand computers, never mind tens of millions of them. So why didn’t they stop Conficker? Here are 10 reasons why:
1. The best IT security minds in the world don’t work for AV companies.
2. Companies that could have and, perhaps, should have downloaded Microsoft’s patch didn’t. They hesitated to do so because the patch might have interfered with other software that they run. They chose to wait for other companies to be the crash-test dummies. In this instance, that was the wrong call. It’s not always the wrong call. There’s something wrong with this system. Kick the tires and a wheel falls off.
3. Many companies depend upon AV technology to stop this kind of infection. AV technology is an inadequate defense. Signature based AV technology is completely inadequate to combat this worm. Other AV products that have behavioral features may be able to stop it.
4. As an aside, have you ever read a report of an AV test where any of the products stopped 100 percent of the viruses used in the test? What does that tell you?
5. Unfortunately, virus writers are just as able to buy AV products as everyone else – although doubtless they steal them rather than buy them. They test their viruses against these products before releasing the virus so they know they’ll get past the initial virus defense.
6. Worms are particularly pernicious in their effectiveness because they work at software speeds. This means that when they find an opening they infect at a very high rate. Meanwhile, the AV vendors who are trying to combat the latest threat may spend days getting something that works into their product. The worm works faster than they do.
7. Botnets are very valuable. You can rent them out to other cybercriminals at roughly 20 cents per PC per day if you’ve got a Black Hat business network in place. And no-one’s going to be surprised if the authors of Conficker have such a network. A sustainable botnet of a million computers is worth roughly $10 million per year in recurring revenue – not in the league of a Bernie Madoff Ponzi scheme, but still “a nice little earner.”
8. The perpetrators of Conficker will not get caught. Say, when was the last author of a major virus that cost companies a fortune in remediation expenses actually caught?
9. There is technology that stops this kind of malware stone dead. It’s called whitelisting technology and it comes from companies like Bit9, CoreTrace and Lumension. The take-up of this technology has been relatively slow, but it is gaining traction. Some AV companies like Kaspersky and Symantec are using it. Once it becomes widespread, it will stop this sorry mess.
10. Too few people and businesses use Macs.
For more information on the failure of AV technology follow this link: AVID.